FixVibe
Covered by FixVibe: high

API Key Leakage: Risks and remediation in modern web applications

Learn the risks of leaking API keys in frontend code and repository history, and how to properly remediate exposed secrets.

Hard-coded secrets in frontend code or repository history allow attackers to impersonate services, access private data, and incur costs. This article covers the risks of secret leakage and the necessary steps for cleanup and prevention.

CWE-798

Impact

Leaking secrets such as API keys, tokens, or credentials can lead to unauthorized access to sensitive data, service impersonation, and significant financial loss due to resource abuse [S1]. Once a secret is committed to a public repository or bundled into a frontend application, it should be considered compromised [S1].

Root Cause

The root cause is the inclusion of sensitive credentials directly in source code or configuration files that are subsequently committed to version control or served to the client [S1]. Developers often hard-code keys for convenience during development or accidentally include .env files in their commits [S1].

Concrete Fixes

  • Rotate Compromised Secrets: If a secret is leaked, it must be revoked and replaced immediately. Simply removing the secret from the current version of the code is insufficient because it remains in the version control history [S1][S2].
  • Use Environment Variables: Store secrets in environment variables rather than hard-coding them. Ensure that .env files are added to .gitignore to prevent accidental commits [S1].
  • Implement Secret Management: Use dedicated secret management tools or vault services to inject credentials into the application environment at runtime [S1].
  • Purge Repository History: If a secret was committed to Git, use tools like git-filter-repo or the BFG Repo-Cleaner to permanently remove the sensitive data from all branches and tags in the repository history [S2].

How FixVibe tests for it

FixVibe now includes this in live scans. The passive secrets.js-bundle-sweep check downloads same-origin JavaScript bundles and matches known API key, token, and credential patterns, gated by entropy and placeholder checks. Related live checks inspect browser storage, source maps, auth and BaaS client bundles, and GitHub repo source patterns. Git history rewriting remains a remediation step; FixVibe's live coverage focuses on secrets present in shipped assets, browser storage, and current repo contents.
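As an added example (not FixVibe's code and not its rule set), the following Python puts two ideas from this page side by side: a secret detector with entropy and placeholder gates, of the kind the bundle sweep above describes, reused as the pre-commit gate that the "Use Environment Variables" fix calls for. The rule names, the entropy threshold, the .env naming convention and every sample input are constructed assumptions; AKIAIOSFODNN7EXAMPLE is the placeholder access key id used in AWS documentation and is included only to show the placeholder gate firing.

```python
"""Secret detection with entropy and placeholder gates.

Added example (not FixVibe's own code): the same detector is run as a
pre-commit gate over staged files and as a sweep over a shipped JS bundle.
Rule names, thresholds and sample values are constructed for this example.
"""
import math
import re
from dataclasses import dataclass

# Illustrative rule table. Prefix rules mirror widely published key formats;
# the generic rule catches `apiKey: "..."`-style assignments of long values.
RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_secret_key": re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{24,}\b"),
    "github_token": re.compile(r"\bghp_[0-9A-Za-z]{36}\b"),
    "generic_assignment": re.compile(
        r"""(?i)\b(?:api[_-]?key|secret|token)\b\s*[:=]\s*['"]([0-9A-Za-z_\-]{20,})['"]"""
    ),
}
# Placeholder gate: documentation and template values that are not real secrets.
PLACEHOLDER = re.compile(r"(?i)example|placeholder|changeme|dummy|sample|your[_-]|x{4,}")
# Entropy gate (bits per character, assumed threshold): filler such as "aaaa..."
# falls below it, while random key material of 20+ characters sits well above it.
MIN_ENTROPY = 3.0


@dataclass
class Finding:
    source: str
    line: int
    rule: str
    value: str
    entropy: float
    verdict: str  # "secret", "placeholder" or "low-entropy"


def shannon_entropy(value: str) -> float:
    """Shannon entropy of a string in bits per character."""
    if not value:
        return 0.0
    n = len(value)
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(value: str) -> str:
    """Apply the placeholder gate first, then the entropy gate."""
    if PLACEHOLDER.search(value):
        return "placeholder"
    if shannon_entropy(value) < MIN_ENTROPY:
        return "low-entropy"
    return "secret"


def scan_text(text: str, source: str) -> list:
    """Run every rule over every line. Gated-out matches are kept with their
    verdict so a reviewer can see why they were suppressed."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                findings.append(Finding(source, lineno, rule, value,
                                        shannon_entropy(value), classify(value)))
    return findings


def confirmed(findings: list) -> list:
    """Only matches that passed both gates."""
    return [f for f in findings if f.verdict == "secret"]


def check_staged(staged: dict) -> list:
    """Pre-commit gate over {path: contents}: refuse .env files outright
    (templates such as .env.example are allowed) and refuse any file that
    contains a confirmed secret."""
    problems = []
    for path, contents in staged.items():
        name = path.rsplit("/", 1)[-1]
        is_template = name.endswith((".example", ".sample", ".template"))
        if name == ".env" or (name.startswith(".env.") and not is_template):
            problems.append(f"{path}: .env files belong in .gitignore, not in the commit")
        for f in confirmed(scan_text(contents, path)):
            problems.append(f"{path}:{f.line}: {f.rule} detected")
    return problems


# Constructed sample inputs: a minified bundle and a set of staged files.
SAMPLE_BUNDLE = "\n".join([
    'var version="1.2.3";',
    'var stripe=Stripe("sk_live_Qm7Xk2pLd9vR4tYw8uZa1bNc");',                      # live-looking key
    'var docs={aws:"AKIAIOSFODNN7EXAMPLE",stripe:"sk_live_' + "x" * 24 + '"};',   # placeholders
    'fetch(url,{headers:{apiKey:"T9wQ2mLx7Kp4Vz1Rn8Yb3Hs6Jd5Fg0Ca"}});',          # live-looking key
])
SAMPLE_STAGED = {
    ".env": "STRIPE_SECRET_KEY=sk_live_Qm7Xk2pLd9vR4tYw8uZa1bNc\n",
    "src/config.js": 'export const token = "aaaaaaaaaaaaaaaaaaaaaaaa";\n',
    "README.md": 'Set API_KEY="your_api_key_goes_here_12345" in your shell.\n',
}

if __name__ == "__main__":
    for f in scan_text(SAMPLE_BUNDLE, "app.bundle.js"):
        print(f"{f.source}:{f.line} {f.rule} entropy={f.entropy:.2f} -> {f.verdict}")
    for problem in check_staged(SAMPLE_STAGED):
        print("BLOCKED:", problem)
```

Running it reports four matches from the constructed bundle, of which only two survive the gates, and two blocked items from the staged set: the .env file itself and the live-looking key inside it. The zero-entropy token in src/config.js and the your_api_key placeholder in README.md are listed with their verdicts but not confirmed, which is what keeps a gate like this from burying developers in false positives. Anything confirmed still has to be rotated by hand, as the fixes above say; the scanner only tells you where to look.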